Computer Security Integrity
Computer security Integrity
Olivier Markowitch Hash functions
A hash function, h, converts a binary string of arbi- trary size into a fixed-size n-bit string
If the input size > n then collisions happen
1 Hash functions properties
Compression: converts a binary string of arbitrary size into a fixed-size n-bit string
computation efficiency: h(x) must be efficiently com- putable
2 Hash functions in cryptography
Hash functions are used in:
• manipulation detection codes (MDC): to manage data integrity
• message authentication codes (MAC): to manage data integrity and source authentication
MDCs are divided into two classes: one-way hash functions (OWHF) and collision resistant hash func- tions (CRHF)
3 Cryptographic hash functions
Cryptographic hash functions have additional proper- ties : let x and x0 be inputs and let y and y0 be the corresponding outputs
1. preimage resistance: for at most all output y of h(), it must be computationally infeasible to find a preimage x0 such that h(x0) = y
2. second preimage resistance: given x and y = h(x), it must be computationally infeasible to find a second preimage x0 6= x such that h(x) = h(x0)
3. collision resistance: it must be computationally infeasible to find two inputs x and x0 such that h(x) = h(x0)
4 Definitions
A one-way hash function (OWHF) is a hash function that respects the properties of preimage resistance and second preimage resistance
One-way hash functions are also called weak one-way hash functions
A collision resistant hash function (CRHF) is a hash function that respects the properties of second preim- age resistance and collision resistance
Collision resistant hash functions are also called strong one-way hash functions
5
Keyed and unkeyed hash functions
A message authentication code (MAC) is a functions hk() parameterized by a secret key k and that re- spects the following properties:
1. efficiency: for a known function hk(), given a value k and an input x, hk(x) is easy to compute
2. compression: hk() maps an input x of arbitrary finite soze to an output hk(x) of fixed length n
3. computation-resistance: for a value of k unknown to an adversary, given zero or more pairs (xi, hk(xi)), it is computationally infeasible to compute any pair (x, hk(x)) for any new input x 6= xi
Detection manipulation code (MDC) are unkeyed hash functions
7
Iterative hash function
h(x) = g(Ht) H0 = initial value Hi = f(Hi−1, xi) with i ∈ [1, t]
x = x1 . . . xt with |xi| = r for i ∈ [1, t]
9 Hash function: ideal security
An unkeyed hash function that produces n-bit outputs is said to have an ideal security if:
1. given a hash output, producing a preimage or a second preimage requires approximately 2n op- erations
n 2. producing a collision requires approximately 22 operations
10 MDC in practice
Manipulation detection codes can be:
• build using a symmetric bloc cipher
11
MDC in practice
Manipulation detection codes can be:
• build using a symmetric bloc cipher
• customized hash functions: MD4, MD5, SHA-1, RIPEMD-160
15
MDC in practice
Manipulation detection codes can be:
• build using a symmetric bloc cipher
• customized hash functions: MD4, MD5, SHA-1, RIPEMD-160
• build using modular arithmetic: MASH-1
22
MAC in practice
Message authentication codes can be:
• build using symmetric bloc ciphers
24
CBC-MAC
If the optional part is not realized:
Let x a one-bloc input
Let M = CBC-MAC(x)
CBC-MAC(M) = CBC-MAC(x |0 ... 0) where | is the concatenation and where the size x |0 ... 0 is two blocs
26 MAC in practice
Message authentication codes can be:
• build using symmetric bloc ciphers
• build using MDC
27 MAC in practice
A MAC can be constructed from an MDC algorithm by including a secret key k as part of the MDC input
If the MDC follows an iterative construction
H0 = initial value Hi = f(Hi−1, xi) avec i ∈ [1, t] h(x) = Ht
Then MAC(x) where x = x1 . . . xt can be build as hk(x) = h(k|x). This construction must be avoided
The construction hk(x) = h(x|k) can be dangerous if collisions can be found for the function h()
Therefore, it is suggested to compute hk(x) = h(k|x|k)
28 MAC in practice: HMAC
Let opad (outer padding) be a bloc = 0x5c5c5c5c5c
Let ipad (inner padding) be a bloc = 0x3636363636
HMAC(k, x) = h ((k ⊕ opad) |h ((k ⊕ ipad) |x))
29 MAC in practice
Message authentication codes can be:
• build using symmetric bloc ciphers
• build using MDC
• customized hash functions: MAA, MD5-MAC
30
Integrity
Data integrity ensures that a data has not been al- tered in an unauthorized manner (no matter that the data is stored or transmitted) data source authentication is based on a shared se- cret key (but the entities that share the secret key can not be distinguished)
When mechanisms that prevent reply attacks are used, we have transaction authentication
34 Integrity
Integrity can be obtained with:
• error detection/correction mechanisms
• message authentication code (MAC)
• manipulation detection code (MDC) used with an authenticated channel
• MDC + encryption
• MAC + encryption
35
MAC+ encryption
hk(x) = Ek(x|hk0(x))
But, we have to avoid:
• k = k0
• hk0 = CBC-MAC without the optional part
• Ek = symmetric bloc encryption in CBC mode that is identical than the one used in the CBC- MAC
• same initial value in CBC-MAC and in Ek
37 Birthday paradox
When considering 23 people, the probability that at least two of them have their birthday on the same day (not taking into account the year of birth) is approxi- matively equal to 50 percent
38 Birthday paradox
Let h be a hash function, h : X → Z, where X and Z are finite sets such that |X| > |Z|. Let |X| = m and |Z| = n
Consider k messages xi ∈ X chosen randomly (with i ∈ [1, k]
What is the probability that two different xi have the same image (i.e. produce a collision)? zi = h(xi) for i ∈ [1, k]
We can consider that the zi are random values (what is reasonable when considering the output of a cryp- tographic hash function) since the xi are chosen ran- domly
39 Birthday paradox
The probability that all the zi are distinct is:
1 2 k − 1 k−1 i 1 1 − 1 − ... 1 − = Y 1 − n n n i=1 n
1 where 1 is the probability to draw z1, 1 − n is the i probability to draw z2 6= z1, ... , 1 − n is the prob- ability to draw a zi distinct from z1, . . . , zi−1
40 Birthday paradox
k−1 k−1 Y i Y − i 1 − ≈ e n i=1 n i=1
−x x2 x3 −x because e = 1 − x + 2! − 3! ... , and e ≈ 1 − x if x is small
i k here x = n with at most x = n and k ≤ n
i i −n Therefore: 1 − n ≈ e
41 Birthday paradox
k−1 ( 1) Y i −1 Pk−1 i − k− k 1 − ≈ e n i=1 = e 2n i=1 n because n n(n + 1) X i = i=1 2
42 Birthday paradox
Let P 0 be the probability that there is no collision, we have:
k−1 i Y 1 − = P 0 i=1 n
−(k−1)k P 0 ≈ e 2n
0 (k−1)k ln(P ) ≈ − 2n
2n ln(P 0) ≈ −(k − 1)k
2 ln( 1 ) 2 n P 0 ≈ k − k
2 ln( 1 ) 2 n P 0 ≈ k (by neglecting k in comparison with k2)
43 Birthday paradox
q 2 ln( 1 ) 2 2 ln( 1 ) n P 0 ≈ k , donc n P 0 ≈ k
Let P be the probability that there is at least one col- lission: P = 1 − P 0 q 1 2n ln(1−P ) ≈ k
1 If P = 2: q 2n ln(2) ≈ k
√ 1, 386n ≈ k
√ 1, 177 n ≈ k
√ k is in O( n)
44 Birthday paradox
If the outputs of a cryptographic hash function are on 64 bits (|Z| = 264), when testing 232 messages the 1 probability to find a collision surpasses 2
r More generally, if |Z| = 2r, when testing 22 mes- 1 sages the probability to find a collision surpasses 2
This explain the ideal security of cryptographic hash functions
45 Birthday paradox
If X = {humans} and Z = every 365 days (birth- √ days), |Z| = 365 = n, we have: 1, 177 n = √ 1, 177 365 ≈ 23
When considering 23 people, the probability to find two people out of the 23 that have their birthday the 1 same day surpasses 2
3 √ With P = 4, we have k ≈ 1, 66 n,, therefore if n = 365 we have k ≈ 32
With P = 99%, we have k ≈ 58
46